3CX Digs Out From Supply Chain Hack
ReversingLabs
ReversingLabs is the trusted name in file and software security. RL - Trust Delivered.
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the newest headlines on all things software supply chain security, curated by the team at ReversingLabs. This week: 3CX said it is recovering from the software supply chain hack of its desktop client application. Also: researchers identify a remote code execution flaw in Azure Pipelines.
This Week’s Top Story
3CX works to recover from software supply chain hack
The CEO of voice over IP (VoIP) software vendor 3CX reported this week that his company was making progress in recovering from a compromise of its software supply chain. CEO Nick Galea wrote on a customer support forum on Tuesday that his company has restored its Windows Electron client application, one target of the hack, which has been attributed to a North Korean advanced persistent threat (APT) group.
3CX, which makes software for voice and video messaging, said it knew of only "a handful of cases" where malware was used against 3CX customers who downloaded and installed a compromised update for the company's 3CXDesktopApp client, Galea wrote. The company said it has not seen any additional outbound malicious activity since removing infected files from the systems, though Galea cautioned that this did not mean customers were out of the woods.
Reporting following disclosure of the 3CX compromise revealed that the malicious actors may have had access to the company for months before the tampering with its client application was detected on March 22nd. Clues in the attack point to a North Korean hacking group that is known to target cryptocurrency vendors, one possible motive for the attack. But 3CX overlooked signals that its client software update had been tampered with before pushing it to customers.
Galea said the company is changing its security procedures and practices to prevent such an attack from happening in the future.
News Roundup
Here are the stories we’re paying attention to…
The Legit Security research team reported that it found a vulnerability in the Azure Pipelines CI/CD platform (CVE-2023-21553) that allows an attacker to execute malicious code in the context of a pipeline workflow. The flaw could give attackers access to sensitive secrets, facilitate lateral movement within an organization, or fuel supply chain attacks, the company said. ( Legit Security )
A malicious campaign resulted in a denial-of-service (DoS) condition on the npm open source registry, causing the service to be periodically unavailable. Threat actors created malicious websites and published an exceptionally large volume of empty packages with links to those sites on npm, taking advantage of the good reputation of open-source ecosystems to lure users, according to a Checkmarx blog post on April 4. (SC Magazine)
According to the Splunk State of Security 2023 report, 62% of security leaders said that their business-critical applications have suffered unplanned downtime due to a cybersecurity incident on at least a monthly basis, an increase from 54% in 2022. The report also finds organizations are focusing more on protecting their supply chain, with 95% of respondents saying they have increased their focus on third-party risk assessments. 91% of respondents agree that better capture and analysis of detection data is one of the most effective tools to prevent successful ransomware attacks. ( SiliconANGLE & theCUBE )
There are two kinds of secrets in Kubernetes: built-in and custom. Built-in secrets are created automatically by Kubernetes for service accounts and attached to containers along with API credentials. These can be disabled or overridden as needed. Custom secrets let you define your own sensitive data and create a Secret object to store it.
While Kubernetes Secrets are safer and more flexible than putting credentials directly in the Pod spec or baking them into the Docker image, there are several drawbacks. Kubernetes Secrets store usernames and passwords as base64-encoded strings. Although obscured from casual browsing, text encoding isn't encryption, and anyone who can read the Secret object can recover the values. This is even called out in the official Kubernetes Secrets documentation. ( Cloud Native Now )
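As an added illustration (not code from the Cloud Native Now article or from the Kubernetes project), the following Python shows why base64 in a Secret is obscuring rather than protecting: whatever `kubectl create secret` encodes, any principal with read access to the object, or to a manifest checked into a repository, recovers with a standard decoder. The sample Secret, its key names and the `audit_manifest` helper are constructed for this example.

```python
import base64
import string

# Constructed sample of a Secret as the API server returns it (or as it would
# appear in a manifest committed to git). The values are base64, not ciphertext.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "default"},
    "type": "Opaque",
    "data": {
        "username": "YXBwX3VzZXI=",
        "password": "U3VwM3JTM2NyM3Qh",
    },
}

PRINTABLE = set(string.printable)


def encode_secret_values(plain: dict) -> dict:
    """Mirror what `kubectl create secret generic --from-literal` does:
    each value is base64-encoded into the `data` map. No key, no encryption."""
    return {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in plain.items()}


def decode_secret_values(secret: dict) -> dict:
    """What anyone who can `get` the Secret, or read the manifest, can do:
    recover every value with the standard library decoder."""
    out = {}
    for key, encoded in secret.get("data", {}).items():
        raw = base64.b64decode(encoded, validate=True)
        out[key] = raw.decode("utf-8", errors="replace")
    # `stringData` is write-only convenience: the API server base64-encodes it
    # into `data` on admission, so a manifest that uses it is just as readable.
    out.update(secret.get("stringData", {}))
    return out


def audit_manifest(secret: dict) -> list:
    """Flag every key whose value decodes to readable text. Suitable as a
    pre-commit check over manifests, where a committed Secret is a leak."""
    findings = []
    if secret.get("kind") != "Secret":
        return findings
    name = secret.get("metadata", {}).get("name", "<unnamed>")
    for key, value in decode_secret_values(secret).items():
        if value and all(ch in PRINTABLE for ch in value):
            findings.append(f"{name}/{key}: plaintext recoverable ({len(value)} chars)")
    return findings


if __name__ == "__main__":
    # Round trip: encoding and decoding are symmetric, so nothing is protected.
    print(decode_secret_values(SAMPLE_SECRET))
    for line in audit_manifest(SAMPLE_SECRET):
        print(line)
```

The controls that actually reduce exposure are separate from the encoding: enable encryption at rest for the `secrets` resource in the API server's EncryptionConfiguration, restrict `get`/`list`/`watch` on Secrets with RBAC, and keep manifests with populated `data` or `stringData` out of source control.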
Overall, if an organization uses open-source software, it must be on high alert for supply chain attacks. Hackers have become more strategic in exploiting open-source software and code in recent years, and this year will be no exception. Bad actors will closely observe the code and its components to gain a comprehensive understanding of its weaknesses, and the most effective ways to exploit them. ( SupplyChainBrain )
The ChatGPT artificial intelligence (AI) model has shown great potential for use in software development, but it also brings new risks, David Adams writes for Information Age. Developers can use ChatGPT to generate code snippets, debug, test, and document functionality. However, the technology is notorious for its mistakes and, at this point, requires human oversight. ChatGPT's potential for use in software development could have significant social and commercial implications, but developers must also monitor potential legal and security risks, Adams writes. ( Information Age )
In recent years supply chain attacks have become much more commonplace, targeting vulnerabilities and getting legitimate apps to distribute malware. Betanews.com spoke to Nir Valtman, CEO and founder at Arnica, to discuss the issues these attacks raise and how organizations can defend against them. ( BetaNews, Inc. )
Semgrep is a code search tool that many use for security scanning (SAST). We added GPT-4 to our cloud service to ask which Semgrep findings matter before we notify developers, and on our internal projects, it seemed to reason really well about this task. We also tried to have it automatically fix these findings, and its output is often correct. ( Semgrep )
Hackers are taking over IP addresses and selling them as “proxyware” without authorization, according to researchers from digital security firm Sysdig. The team uncovered a new trend it calls “proxyjacking,” in which hackers leverage the Log4j vulnerability to gain initial access to a system or device before selling off its IP information to proxyware services. (The Record)
Now more than ever, organizations are relying on the supply chain for basic business operations. According to Charlie Jones, director of product management with ReversingLabs, there are two reasons for this: the global trend of digitalization and the rapid move to remote work during the pandemic. Those trends increased the reliance enterprises had on their supplier base and also changed the way suppliers delivered their services, Jones explained during a session at the Supply Chain Security Summit. Vendors within the software supply chain were well positioned to meet these changes because of their ability to deliver services over the internet. ( Security Boulevard )
Resource Round Up
Learn why the AppSec tools of yesterday are making way for the software supply chain security of today. More than 80% of surveyed companies believe traditional SAST, DAST, and SCA technology doesn't fully protect them from software supply chain threats. This session discusses the reasons these analyses cannot provide effective risk management and breach response.
ReversingGlass: Full-Coverage Software Supply Chain Security Explained
In this episode, ReversingLabs Field CISO, Matt Rose lists and explains the various areas of the software supply chain that need to be covered with a modern security solution. He points out that just looking at the build system or open source software alone for threats will not provide full software supply chain security (SSCS) coverage.